=Qt Network Session – Qt Contributors Summit 2013=

==Talking Points==

* Option to add random padding to HTTPS requests. This makes us more resistant to the various HTTPS attacks that have been floating around.
** X-Qt-Padding: some noise of varying length
** Recommendation 3 from http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
* Who is working on the stack?
* What’s up with the constant failing tests in the CI, and how can we fix the situation?
* Support for Diffie-Hellman ciphers
* Support for redirects
* Pause on connect
* Performance
* Peter’s chromium qnam port
* Automatic fallback support
* Certificate store API / Caching intermediates
* OCSP support
* Replacing the QNAM disk cache
* HTTP 2.0 / SPDY support
* Web sockets
* Enginio and Qt network
* Webkit2 and custom QNetworkAccessManagers

Off topic, but related:

* PBKDF2 / BCrypt support (QtCore really)
* Should we warn if running as root? If running suid?

Notes by Thiago:

* DH key exchange
** no public API
** easy to implement, hard to test
* OCSP
** adds latency: needs to query the OCSP server
** Richard implemented one year ago
** still works, but hasn’t worked on it in a while
** enabled by default
** QSslSocket level
* Certificate store:
** storing intermediate certs from broken servers that don’t return the whole chain
** browsers do that to work around issues in the wild
** adds security
** certificates are not trusted, so they don’t add a new security attack vector
** virtual QSslCertificate QAbstractSslCertificateStore::certificateForId(QSslCertificateId)
* QNAM redirects
** discussed in the DD Contributor Day
** vector for insecurity (users do it wrong)
** should be configurable
** we don’t need to fix this for the browser case → they already have the code
** we need it only for the simple application cases
** allow redirect from HTTP to HTTPS, allow within-protocol
** could work with pausing
** readyRead & metaDataChanged from the final, sslErrors per connection
* Pause on connect:
** Already discussed, implementation challenges and details known
** Work is missing (Peter doesn’t have time)
* Performance: latency problems
** Helped by the pre-connect
* Replacing QNAM port:
** With Blink:
*** difficult, it’s too big for QtNetwork
*** no guarantee that we’ll get a “library” interface
** libcurl:
*** they’re behind us
* SPDY / HTTP/2.0:
** HTTP/2.0 adopted SPDY 3.0’s transport format
*** we can start supporting SPDY to get on our way to HTTP/2.0
** libcurl has started